Database Security Truths: Orgs Still Struggling to Herd Info

Many organizations may be trying harder than ever to protect their sensitive data, driven by the fear of cyber-theft and failed compliance audits, but they are still struggling to manage the fundamental issue of where all their critical information resides and who exactly has access to it, experts maintain.

While emerging security and compliance programs are having a positive effect, the sheer volume and variety of databases and access controls that companies are trying to keep track of continue to make it hard for organizations, particularly large enterprises, to effectively manage information security, according to Josh Shaul, vice president of product management at database security software maker Application Security Inc.

"The simple fact is that most enterprises have insufficient capabilities to understand where everything is and who has access, they're doing a better job of tracking where their most critical data may be, but with outlying development and poor access control, we're finding that it's still a huge problem in terms of companies having repositories of unsecured critical data that they didn't even know existed," Shaul said.

And while data security initiatives such as the PCI DSS standard have helped elevate the issue of data security internally, over-reliance on standards and a general atmosphere geared toward achieving "check box" compliance, versus truly addressing these problems holistically, have made it such that many organizations continue to overlook some of their most significant points of risk, said the expert.

"Compliance is having an impact, it's shining a light on some dark places that no one was looking at before and eliminating excuses not to work harder to manage database security more aggressively, but the emphasis on checking boxes is leading to some fundamental mistakes in terms of overall strategy," Shaul contends.

Another issue is that mandates including SOX and PCI are in some cases not specific enough in terms of the database controls they require, and rely too much on the interpretation of security standing by compliance auditors, who have different ideas regarding what is acceptable and what is not, he said.

One of the biggest problems is that database developers and administrators continue to struggle with the allocation and management of user controls and privileges, at least among the companies that Applications Security is working with.

Insufficient controls to prevent privilege escalation on the part of infiltrators and a lack of separation of duties among legitimate user accounts are making it easier for both internal and external assailants to have their way and find accessible information including credit card accounts and other forms of PII, Shaul said.

While more database administrators are being told that they must test such security controls to help address potential data theft, the process remains complex - and when organizations have failed to closely monitor all of the repositories that they maintain that may contain sensitive information, some databases merely go untested.

Predictably, based on the realities that it is seeing in the field among customers, Shaul said that Applications Security is trying to help more organizations align their security and compliance efforts to better address the root cause issues that leave data vulnerable.

"Marrying" the two areas of work will also help companies continue to make improvements even as IT budgets are cut amidst the troubling world economy, he said. An example of the strategy can be found in the latest version of the company's DbProtect security package, specifically in its user rights review capabilities, said Shaul.

New capabilities for understanding all of the rights-assignment and elimination factors that need to be considered when managing access, as well as achgieving compliance, are key to helping solve the problem, he said.

"People have been trying to address this problem for a while, but this is a process that sounds simple but is very hard to pull off; it's fairly straightforward to assess the distribution of rights, but the process of truly understanding the many roles within an organization, and things like inherited privileges, gets very deep very fast," he said.

Another way to help companies improve their chances of finding all their critical data and better controlling access is by integrating with other popular, adjacent technologies, specifically compliance automation systems and security information management platforms - with Applications Security having signed a deal to do so with enterprise GRC solutions vendor Archer Technologies earlier this year, adding to existing partnerships with companies including risk management solutions vendor SkyBox, among others.

"Both from a process and a technical approach, this whole pursuit of security and compliance has to be an integrated ecosystem," said Shaul. "CISOs are spending a lot of these types of platforms, and everything has got to plug in if we're really going to help them tackle the underlying issues."

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.